Cybersecurity Maturity Model Certification FAQ

Frequently Asked Questions

1) What is CMMC Compliance?

The Department of Defense (DoD) created the Cybersecurity Maturity Model Certification (CMMC) program so that its contractors and subcontractors can demonstrate that Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) are adequately safeguarded. CMMC builds on existing cybersecurity requirements (the basic safeguarding requirements of FAR 52.204-21 and the NIST SP 800-171 requirements flowed down by DFARS 252.204-7012) by mandating that contractors and subcontractors undergo self-assessments, third-party assessments, or government-led assessments, as required, to verify that CMMC's information protection requirements have been met.

To protect American innovation and national security information, the DoD developed the CMMC 2.0 program to reinforce the importance of Defense Industrial Base (DIB) cybersecurity in safeguarding the information that supports and enables the Department.

2) What are the CMMC Requirements?

CMMC requirements are organized in three levels:

CMMC Level 1 – includes 17 practices, corresponding to the 15 basic safeguarding requirements in Federal Acquisition Regulation (FAR) clause 52.204-21(b)(1), and is expected to apply to contractors who store, process or transmit Federal Contract Information (FCI).

CMMC Level 2 – includes 110 requirements from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Rev. 2, and is expected to apply broadly to contractors who store, process, or transmit Controlled Unclassified Information (CUI).

CMMC Level 3 – includes 24 selected requirements from NIST SP 800-172 in addition to full implementation of NIST SP 800-171, and is expected to apply to a small group of DoD contractors who store, process or transmit high-value Controlled Unclassified Information (CUI).

The proposed assessment requirements are a mixture of self-assessments and third-party or government-led assessments, depending on the level and the sensitivity of the information handled.

3) How should my organization prepare for CMMC Assessments?

The following steps help an organization prepare for CMMC assessments, manage risk, and improve its chances of success:

A) Develop and Refine a System Security Plan (SSP) – To prepare for a self-assessment or a certification assessment, a company must complete the necessary documentation, including an SSP that defines the system boundary and describes how each security requirement is implemented. Note that an SSP is required for Level 2 and is not required for Level 1.

B) Develop an Enterprise-Wide Compliance Strategy – Robust engagement with all stakeholders on the compliance team is necessary to develop a strategy that defines how the company will manage and safeguard its data.

C) Consider a Dedicated Federal Environment – Depending on the volume of regulated data a company holds and how difficult it is to implement the security controls company-wide, a company may consider creating a dedicated environment in which to store and process its regulated data.

Segmenting regulated data into a dedicated environment narrows the assessment scope: fewer systems fall under the requirements, which reduces legal risk, simplifies technical implementation, and lowers resource costs.

D) Conduct Privileged Compliance Assessments – Contractors should conduct gap assessments under attorney-client privilege so they can test their ability to meet the requirements enumerated in CMMC while limiting the legal exposure that documented gaps would otherwise create.

E) Develop and Refine Corporate Policies – Companies should establish a practice of writing robust internal cybersecurity policies, incident response plans, and other governance documents, and of keeping all of them current and accurate. While not required for Level 1, having this basic set of policies is considered best-in-class evidence that a cybersecurity practice exists.

While technical solutions are integral to meeting CMMC requirements, a company's cybersecurity is only as effective as the policies it adopts governing the use of that technology and the data that traverses it.

4) What changed in CMMC 2.0?

Changes from CMMC 1.0 to 2.0 include the following:

  • The model has been streamlined from five to three compliance levels. 
  • Levels map directly to National Institute of Standards and Technology (NIST) standards (SP 800-171 and SP 800-172), dropping the CMMC-unique practices and maturity processes of 1.0. 
  • All companies at Level 1, and a subset of companies at Level 2, may demonstrate compliance through self-assessments. 
  • Oversight of the professional and ethical standards of third-party assessors is increased. 
  • Under certain limited circumstances, companies may use Plans of Action & Milestones (POA&Ms) to achieve certification. 
  • Under certain limited circumstances, the Government may waive inclusion of CMMC requirements.

5) Does my business need to be CMMC certified?

Most companies in the defense supply chain will need to achieve a CMMC level. The Department of Defense (DoD) estimates that the roll-out of CMMC will affect approximately 300,000 companies. Most DoD contracts will require that a company achieve the CMMC level (1 through 3) specified in the solicitation to be eligible for award.

6) When is the deadline to become CMMC certified?

The anticipated deadline for Department of Defense (DoD) contractors and subcontractors to meet CMMC 2.0 requirements is September 2027. A gap assessment should be conducted now, however, so that your organization has time to identify gaps, select solutions to close them, and implement the required controls before certification. Depending on the gaps found, implementation can take 12 to 18 months or longer. Even if the DoD delays the inclusion of certification requirements in some procurements, defense contractors should be prepared to meet CMMC requirements.

Visit our CMMC blog to learn more.